icon-zcspm.svg
ZCSPM

Configuring the ZCSPM Agent for Google Kubernetes Engine

ZCSPM provides an agent that can be installed on your Google Kubernetes Engine (GKE) cluster to support the security policies listed in the CIS GKE K8s v1.5.1 benchmark. The agent is container-based and is deployed as a cronjob in your Kubernetes cluster. The agent will collect all necessary data which needs to be checked against the security policies listed in the CIS benchmark. To learn more, see GCP Security Policies.

You must be a License Admin to configure the ZCSPM agent.

Prerequisites

Before you begin setting up the ZCSPM agent, you need to:

  1. Install Google Cloud SDK.
  2. Install and set up kubectl.
  3. Install and set up Helm 3.0 or higher.
    1. Add the ZCSPM Helm repo using the following command:
    helm repo add zcspm https://charts.cloudneeti.com
    1. Verify the Helm repo addition using the following command:
    helm repo list
    1. List the available ZCSPM Helm charts using the following command:
    helm search repo zcspm --versions
    Close

Configuring ZCSPM Agent

To configure the ZCSPM agent:

    1. On the ZCSPM Admin Portal, go to Configurations > Cloud Accounts.
    2. Expand GCP, and click Configure Account next to the cloud account which needs to be associated with your Kubernetes cluster.
    3. Click K8s Cluster Association from the drop-down menu, then click Associate Cluster in the top right corner
    4. Enter the Kubernetes Cluster Name, select GKE from the Cluster Hosting drop-down menu, and click Save.

    1. The zcspm-agent-config JSON file will be downloaded. The JSON file has the information you need to deploy the ZCSPM agent in your Kubernetes cluster:
      • ZCSPM License ID
      • ZCSPM Account ID
      • Cluster Name
      • ZCSPM Environment
      • Cluster Hosting
    2. Along with the JSON file, you need the following information to deploy the ZCSPM agent:

      • To generate the ZCSPM API Key:

        1. Sign up at the ZCSPM API portal.
        2. From the top navigation bar, go to PRODUCTS > Unlimited.
        3. Under Customer-Api, click Subscribe.
        4. Zscaler will then activate your subscription and send you an email confirmation.
        5. After you receive the email confirmation, click on your Username on the top right corner.
        6. Select your profile and click Show next to the Primary key.
        Close

      • To create a ZCSPM API application:

        1. On the ZCSPM Admin Portal, select the License from the drop-down menu in which you want to create a ZCSPM API application.
        2. Go to Configurations > API Access.
        3. Click Create API Application in the top-right corner.
        4. Enter the API Application Name, and select APIs from the drop-down menu.
        5. Select the Account.InsertKubernetesClusterData from the APIs Scope drop-down menu, choose the Token Expiry duration from the drop-down menu.
        6. Set the Secret Expiry date and click Save.
        7. From the pop-up menu, copy the API Application Secret and click Done.
        8. Copy the API Application ID.
        Close
    Close

  • To deploy the ZCSPM agent on your cluster:

    1. Access the Kubernetes cluster using the following command:
    gcloud container clusters get-credentials <Cluster-Name> --zone <Cluster-Zone> --project <ProjectID>
    1. Deploy the ZCSPM agent on the Kubernetes cluster using the following command:
    helm install <release-name> zcspm/zcspm-agent `
 --set clusterName=<cluster-name-as-onboarded-on-zcspm> `
 --set licenseId=<zcspm-license-id> `
 --set accountId=<zcspm-account-id> `
 --set zcspmEnvironment=<environment-prefix (qa/trial/prod/prod1)> `
 --set zcspmApiAppId=<api-app-id> `
 --set zcspmAPIKey=<zcspm-apimgmt-key> `
 --set zcspmAPIAppSecret=<api-app-secret> `
 --set clusterHosting="GKE"

    If you are using VPC Service Controls, ensure they are appropriately configured for GKE clusters.

    Close

  • To verify the ZCSPM agent installation:

    1. Verify the namespace using the following command:
    kubectl get namespace

    NAME                STATUS         AGE
zcspm               Active         11m
default             Active         15d
kube-node-lease     Active         15d
kube-public         Active         15d
kube-system         Active         15d
    1. Verify the ZCSPM agent cronjob deployment using the following command:
    kubectl get cronjob --namespace zcspm

    NAME                   SCHEDULE         SUSPEND        ACTIVE         LAST SCHEDULE           AGE
zcspm-agent            0 12 * * *       False          0              <none>                  18h
    1. Trigger the cronjob using the following command:
    kubectl create job <job-name> --from=cronjobs/zcspm-agent --namespace zcspm


    job.batch/sanity created
    1. Get jobs using the following command:
    kubectl get job --namespace zcspm

    NAME          COMPLETIONS DURATION    AGE
zcspm-agent   1/1         16s         2m12s
    1. Verify the job logs of the ZCSPM agent using the following command:
    kubectl get pods --selector job-name=<job-name> --namespace zcspm

    NAME           READY     STATUS       RESTARTS       AGE
sanity-2jkfc   0/2       Completed    0              46s
    1. Get the ZCSPM agent pod and verify the data was successfully sent to ZCSPM using the following command:
    kubectl logs <ZCSPM agent pod name> -c zcspm-agent --namespace zcspm
    Close

  • If the agent was installed successfully, you can view the policy results on ZCSPM. To view:

    1. On the ZCSPM Admin Portal, go to Dashboard > Compliance.
    2. Click CIS GKE K8s v1.5.1.
      CIS GKE K8s v1.5.1 Benchmark
    Close

Upgrading the ZCSPM Agent

Whenever ZCSPM releases a new agent version, you can upgrade your agent to the latest version using Helm. To upgrade the ZCSPM agent:

  1. Update the ZCSPM Helm repository using the following command:
helm repo update
  1. Upgrade the ZCSPM agent using the following command:
helm upgrade <release-name> zcspm/zcspm-agent --reuse-values

Updating the ZCSPM Agent parameters

You can update individual agent parameters such as API key using the following command:

helm upgrade <release-name> zcspm/zcspm-agent --set <parameter-to-update>=<value> --reuse-values

Roll back the ZCSPM agent to a previous version

If you face any issue with the newly upgraded ZCSPM agent, you can always roll back to a previous version of the agent using the following command:

helm rollback <release-name>

Offboarding your Kubernetes cluster

To offboard your Kubernetes cluster:

  1. Disassociate your Kubernetes cluster from ZCSPM:
    1. Go to Configurations > Cloud Accounts.
    2. Expand any one of the cloud service providers.
    3. Click Configure Account for the cloud account which is associated with your Kubernetes cluster.
    4. Click K8s Clusters Association.
    5. Click the Delete icon to disassociate your Kubernetes cluster from ZCSPM.
  2. Delete the ZCSPM Agent from your Kubernetes cluster:
    1. Connect to your Kubernetes cluster.
    2. List down the Helm releases associated with the ZCSPM agent using the following command:
    helm list
    1. Delete the cluster using the following command:
    helm delete <release-name>

Related Articles
Onboarding a Google Cloud Platform Project AccountOnboarding a Google Cloud Platform Organization Account Configuring the ZCSPM Agent for Google Kubernetes EngineVerifying the Cloud Account Health Status for GCPConfiguring GCP Projects Onboarding Prerequisites using ScriptsConfiguring GCP Organization Onboarding Prerequisites using Scripts